diff --git a/level3/Ressources/walkthrough.md b/level3/Ressources/walkthrough.md new file mode 100644 index 0000000..9af22b0 --- /dev/null +++ b/level3/Ressources/walkthrough.md @@ -0,0 +1,7 @@ +We can use printf format string attack, with %n we can write a value at any position. We see in the code we need have the address 0x804988c to equal 64. So we need to write 64 characters with printf and then have %n point on 0x804988c. + +Printf has a variable number of arguments, the first of them is always supposed to be a string with format indicators. if we have n format indicators we are supposed to have n+1 arguments. If we call with less than that, printf is still gonna search for them on the stack anyway, we can use that to our advantage. + +We need to find the start of our string using %8x until it print 41414141, then we replace it with 0x804988c, and the last %x with a %s (or use %m$s, m replaced by the number of x needed) + +
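Review bot: the last paragraph of the hunk contradicts the first one: it says to replace the final %x with a %s (or %m$s), but the write to 0x804988c that the first paragraph describes is done with %n, and %s would only treat the address as a string pointer and read from it; the text should say %n (or %m$n) and make that explicit. Related: %n stores the number of bytes printf has emitted so far, so the 4 address bytes placed at the start of the input count toward the total, and "write 64 characters" should be worded as "pad the output so that the count reaches 64 when %n is hit". Minor wording and layout points: "we need have the address 0x804988c to equal 64" should read "the value stored at address 0x804988c must equal 64"; "it print 41414141" should be "it prints 41414141"; "if we have n format indicators" should start with a capital letter; the directory name "Ressources" is misspelled ("Resources"); and the file ends with a trailing empty line.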